SSCP Exam Questions

Total 1048 Questions

Last Updated Exam : 16-Dec-2024

Topic 1: Access Control

Which of the following access control models introduces user security clearance and data classification?

A. Role-based access control
B. Discretionary access control
C. Non-discretionary access control
D. Mandatory access control

Answer: D. Mandatory access control

The mandatory access control model is based on a security label system. Users are given a security clearance and data is classified. The classification is stored in the security labels of the resources. Classification labels specify the level of trust a user must have to access a certain file.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (Page 154).

In the context of access control, locks, gates, guards are examples of which of the following?

A. Administrative controls
B. Technical controls
C. Physical controls
D. Logical controls

Answer: C. Physical controls



Administrative, technical and physical controls are categories of access
control mechanisms.
Logical and Technical controls are synonymous. So both of them could be eliminated as
possible choices.
Physical Controls: These are controls to protect the organization’s people and physical
environment, such as locks, gates, and guards. Physical controls may be called
“operational controls” in some contexts.
Physical security covers a broad spectrum of controls to protect the physical assets
(primarily the people) in an organization. Physical Controls are sometimes referred to as
“operational” controls in some risk management frameworks. These controls range from doors, locks, and windows to environment controls, construction standards, and guards.
Typically, physical security is based on the notion of establishing security zones or
concentric areas within a facility that require increased security as you get closer to the
valuable assets inside the facility. Security zones are the physical representation of the
defense-in-depth principle discussed earlier in this chapter. Typically, security zones are
associated with rooms, offices, floors, or smaller elements, such as a cabinet or storage
locker. The design of the physical security controls within the facility must take into account
the protection of the asset as well as the individuals working in that area.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1301-1303). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1312-1318). Auerbach Publications. Kindle Edition.

Which of the following is NOT a factor related to Access Control?

A. integrity
B. authenticity
C. confidentiality
D. availability

Answer: B. authenticity



These factors cover the integrity, confidentiality, and availability components of information system security.
Integrity is important in access control as it relates to ensuring only authorized subjects can make changes to objects.
Authenticity is different from authentication. Authenticity pertains to something being authentic, not necessarily having a direct correlation to access control.
Confidentiality is pertinent to access control in that access to sensitive information is controlled to protect confidentiality.
Availability is protected by access controls in that if an attacker attempts to disrupt availability they would first need access.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.

What is the difference between Access Control Lists (ACLs) and Capability Tables?

A. Access control lists are related/attached to a subject whereas capability tables are related/attached to an object.
B. Access control lists are related/attached to an object whereas capability tables are related/attached to a subject.
C. Capability tables are used for objects whereas access control lists are used for users.
D. They are basically the same.

Answer: B. Access control lists are related/attached to an object whereas capability tables are related/attached to a subject.



Capability tables are used to track, manage and apply controls based on the object and the rights, or capabilities, of a subject. For example, a table identifies the object, specifies the access rights allowed for a subject, and permits access based on the user's possession of a capability (or ticket) for the object. It is a row within the matrix.
To put it another way, a capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.
CLEMENT NOTE:
If we wish to express this very simply: capabilities are attached to a subject and describe what access the subject has to each of the objects on the row that matches the subject within the matrix. It is a row within the matrix.
ACLs are attached to objects and describe who has access to the object and what type of access they have. It is a column within the matrix.
The following are incorrect answers:
"Access control lists are subject-based whereas capability tables are object-based" is incorrect.
"Capability tables are used for objects whereas access control lists are used for users" is incorrect.
"They are basically the same" is incorrect.
References used for this question:
CBK, pp. 191-192
AIO3 p. 169
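The row/column distinction above is easiest to see when both views are derived from one access matrix. The following is an added example written for this page, not code from the exam guide or its references; the subjects (alice, bob, carol), objects (payroll.db, audit.log) and rights are constructed sample data. It builds the matrix, projects an ACL (one column, bound to an object) and a capability list (one row, bound to a subject) from it, shows that both views yield the same access decision, and shows which revocation each view makes a single-slice operation.

```python
from typing import Dict, FrozenSet

# Matrix type: subject -> object -> set of rights the subject holds on that object.
Matrix = Dict[str, Dict[str, FrozenSet[str]]]


def sample_matrix() -> Matrix:
    """Constructed sample access matrix (hypothetical subjects and objects).
    Rows are subjects, columns are objects, cells are the rights a subject holds."""
    return {
        "alice": {"payroll.db": frozenset({"read", "write"}), "audit.log": frozenset({"read"})},
        "bob":   {"payroll.db": frozenset({"read"}),          "audit.log": frozenset()},
        "carol": {"payroll.db": frozenset(),                  "audit.log": frozenset({"read", "write"})},
    }


def acl_for(matrix: Matrix, obj: str) -> Dict[str, FrozenSet[str]]:
    """ACL view: bound to the object, i.e. one COLUMN of the matrix.
    Answers 'who can do what to this object?'. Empty cells are omitted."""
    return {subj: row[obj] for subj, row in matrix.items() if row.get(obj)}


def capability_list_for(matrix: Matrix, subj: str) -> Dict[str, FrozenSet[str]]:
    """Capability view: bound to the subject, i.e. one ROW of the matrix.
    Answers 'what may this subject do, and to which objects?'. Empty cells are omitted."""
    return {obj: rights for obj, rights in matrix.get(subj, {}).items() if rights}


def allowed_by_acl(matrix: Matrix, subj: str, obj: str, right: str) -> bool:
    """Reference-monitor check driven from the object's ACL."""
    return right in acl_for(matrix, obj).get(subj, frozenset())


def allowed_by_capability(matrix: Matrix, subj: str, obj: str, right: str) -> bool:
    """The same check driven from the subject's capability list (the 'ticket')."""
    return right in capability_list_for(matrix, subj).get(obj, frozenset())


def views_agree(matrix: Matrix, rights=("read", "write", "execute")) -> bool:
    """Both views are projections of one matrix, so every decision must match."""
    return all(
        allowed_by_acl(matrix, s, o, r) == allowed_by_capability(matrix, s, o, r)
        for s, row in matrix.items() for o in row for r in rights
    )


def revoke_all_access_to(matrix: Matrix, obj: str) -> int:
    """Object-side revocation (e.g. decommissioning a file): a single-column edit,
    which is what the ACL view makes cheap. Returns how many subjects lost rights."""
    changed = 0
    for row in matrix.values():
        if row.get(obj):
            row[obj] = frozenset()
            changed += 1
    return changed


def offboard_subject(matrix: Matrix, subj: str) -> int:
    """Subject-side revocation (a leaver): a single-row edit, which is what the
    capability view makes cheap. Returns how many objects the subject held rights on."""
    row = matrix.pop(subj, {})
    return sum(1 for rights in row.values() if rights)


if __name__ == "__main__":
    m = sample_matrix()
    print("ACL for payroll.db (column):", acl_for(m, "payroll.db"))
    print("Capabilities of carol (row):", capability_list_for(m, "carol"))
    print("bob may write payroll.db?", allowed_by_acl(m, "bob", "payroll.db", "write"))
    print("both views agree:", views_agree(m))
```

The practical consequence for a defender: with ACLs, answering "who can reach this object?" is one lookup but "what can this user reach?" means scanning every object, and with capabilities it is the reverse, which is why leaver offboarding is painful in purely ACL-based systems and object decommissioning is painful in purely capability-based ones.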

Which of the following access control models is based on sensitivity labels?

A. Discretionary access control
B. Mandatory access control
C. Rule-based access control
D. Role-based access control

Answer: B. Mandatory access control



Access decisions are made based on the clearance of the subject and the sensitivity label of the object.
Example: Eve has a "Secret" security clearance and is able to access the "Mugwump Missile Design Profile" because its sensitivity label is "Secret." She is denied access to the "Presidential Toilet Tissue Formula" because its sensitivity label is "Top Secret."
The other answers are not correct because:
Discretionary Access Control is incorrect because in DAC access to data is determined by the data owner. For example, Joe owns the "Secret Chili Recipe" and grants read access to Charles.
Role Based Access Control is incorrect because in RBAC access decisions are made based on the role held by the user. For example, Jane has the role "Auditor" and that role includes read permission on the "System Audit Log."
Rule Based Access Control is incorrect because it is a form of MAC. A good example would be a firewall, where rules are defined and apply to anyone connecting through the firewall.
References:
All in One third edition, page 164.
Official ISC2 Guide page 187.
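The three models contrasted in this explanation (and the clearance/label questions earlier on this page) differ in who makes the decision and what data it is made from. The following is an added example written for this page, not code from the exam guide; it reuses the names from the explanation (Eve, Joe, Charles, Jane) as constructed sample data. The MAC part goes beyond the page's level-only example by also supporting compartments, an assumed need-to-know extension; the `Operator` role and the `LEVELS` ordering are likewise constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# --- Mandatory access control: labels are assigned by the system, not by owners ---

# Constructed ordering of classification levels; a higher number is more sensitive.
LEVELS: Dict[str, int] = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    # Compartments are an assumed extension beyond the page's level-only example:
    # need-to-know categories that a clearance must also cover.
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A label dominates another if its level is at least as high and it
        covers every compartment of the other (the usual lattice ordering)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_decide(clearance: Label, sensitivity: Label) -> Tuple[bool, str]:
    """Grant access only if the subject's clearance dominates the object's sensitivity
    label. The reason string is meant for an audit log entry."""
    if clearance.dominates(sensitivity):
        return True, f"clearance {clearance.level} dominates label {sensitivity.level}"
    if LEVELS[clearance.level] < LEVELS[sensitivity.level]:
        return False, f"clearance {clearance.level} is below label {sensitivity.level}"
    missing = sorted(sensitivity.compartments - clearance.compartments)
    return False, f"missing compartments {missing}"


# --- Discretionary access control: the owner decides ---

@dataclass
class DacObject:
    owner: str
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, granter: str, grantee: str, right: str) -> bool:
        """Only the owner may hand out rights; anyone else's attempt is refused."""
        if granter != self.owner:
            return False
        self.grants.setdefault(grantee, set()).add(right)
        return True

    def allowed(self, subject: str, right: str) -> bool:
        return subject == self.owner or right in self.grants.get(subject, set())


# --- Role-based access control: rights hang off roles, subjects hold roles ---

ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "Auditor": {"System Audit Log": {"read"}},
    "Operator": {"System Audit Log": {"read", "write"}},  # constructed extra role
}


def rbac_allowed(user_roles: Set[str], obj: str, right: str) -> bool:
    """A subject gets a right only through some role that carries it."""
    return any(right in ROLE_PERMISSIONS.get(role, {}).get(obj, set())
               for role in user_roles)


if __name__ == "__main__":
    eve = Label("Secret")
    print(mac_decide(eve, Label("Secret")))      # Mugwump Missile Design Profile
    print(mac_decide(eve, Label("Top Secret")))  # Presidential Toilet Tissue Formula
    chili = DacObject(owner="Joe")
    print(chili.grant("Joe", "Charles", "read"), chili.allowed("Charles", "read"))
    print(rbac_allowed({"Auditor"}, "System Audit Log", "read"))  # Jane the Auditor
```

Note what each model leaves out of the subject's hands: under MAC neither Eve nor the file's creator can lower a label to get the decision they want, under DAC Joe can share the recipe with anyone he likes, and under RBAC Jane's rights change only when her role assignment or the role's permission set changes.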

Which of the following is most appropriate to notify an external user that session monitoring is being conducted?

A. Logon Banners
B. Wall poster
C. Employee Handbook
D. Written agreement

Answer: A. Logon Banners





Banners at log-on time should be used to notify external users of any monitoring that is being conducted. A good banner gives you better legal standing and also makes it obvious that the user was warned about who may access the system, so an unauthorized user is fully aware that they are trespassing.
This is a tricky question; the keyword in the question is "external user".
There are two possible answers depending on how the question is presented: it could apply either to internal users or to ANY anonymous user.
Internal users should always have a written agreement first; logon banners then serve as a constant reminder. For anonymous users, such as those logging into a web site, FTP server or even a mail server, the only notification mechanism is the logon banner.
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 50.
and
Shon Harris, CISSP All-in-one, 5th edition, pg 873

What security model implies a central authority that defines rules, and sometimes global rules, dictating what subjects can have access to what objects?

A. Flow Model
B. Discretionary access control
C. Mandatory access control
D. Non-discretionary access control

Answer: D. Non-discretionary access control



As a security administrator you might configure user profiles so that users cannot change the system’s time, alter system configuration files, access a command prompt, or install unapproved applications. This type of access control is referred to as nondiscretionary, meaning that access decisions are not made at the discretion of the user. Nondiscretionary access controls are put into place by an authoritative entity (usually a security administrator) with the goal of protecting the organization’s most critical assets.
Non-discretionary access control is when a central authority determines what subjects can have access to what objects based on the organizational security policy. Centralized access control is not an existing security model.
Both rule-based access control (RuBAC or RBAC) and role-based access control (RBAC) fall into this category.
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 221). McGraw-Hill. Kindle Edition.
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

In addition to the accuracy of the biometric systems, there are other factors that must also be considered:

A. These factors include the enrollment time and the throughput rate, but not acceptability.
B. These factors do not include the enrollment time, the throughput rate, and acceptability.
C. These factors include the enrollment time, the throughput rate, and acceptability.
D. These factors include the enrollment time, but neither the throughput rate nor the acceptability.

Answer: C. These factors include the enrollment time, the throughput rate, and acceptability.



In addition to the accuracy of the biometric systems, there are other factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability.
Enrollment time is the time it takes to initially "register" with a system by providing samples of the biometric characteristic to be evaluated. An acceptable enrollment time is around two minutes.
For example, in fingerprint systems, the actual fingerprint is stored and requires approximately 250 KB per finger for a high quality image. This level of information is required for one-to-many searches in forensics applications on very large databases.
In finger-scan technology, a full fingerprint is not stored; the features extracted from the fingerprint are stored using a small template that requires approximately 500 to 1000 bytes of storage. The original fingerprint cannot be reconstructed from this template.
Updates of the enrollment information may be required because some biometric characteristics, such as voice and signature, may change with time.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37 & 38.

Which of the following access control models requires security clearance for subjects?

A. Identity-based access control
B. Role-based access control
C. Discretionary access control
D. Mandatory access control

Answer: D. Mandatory access control



With mandatory access control (MAC), the authorization of a subject's access to an object is dependent upon labels, which indicate the subject's clearance. Identity-based access control is a type of discretionary access control. Role-based access control is a type of non-discretionary access control.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).

Which of the following is an example of a passive attack?

A. Denying services to legitimate users
B. Shoulder surfing
C. Brute-force password cracking
D. Smurfing

Answer: B. Shoulder surfing



Shoulder surfing is a form of passive attack involving stealing passwords, personal identification numbers or other confidential information by looking over someone's shoulder. All other forms of attack listed are active attacks, where a threat makes a modification to the system in an attempt to take advantage of a vulnerability.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security Management Practices (page 63).

